Configure http to https redirection for Outlook on the web in Exchange 2016

Learn how to configure redirection for Outlook on the web in Exchange 2016 so http requests are automatically redirected to https.

By default in Exchange Server 2016, the URL https://<ServerName> redirects users to https://<ServerName>/owa. But, if anyone tries to access Outlook on the web (formerly known as Outlook Web App) by using http://<ServerName> or http://<ServerName>/owa, they'll get an error.

You can configure http redirection for Outlook on the web so that requests for http://<ServerName> or http://<ServerName>/owa are automatically redirected to https://<ServerName>/owa. This requires the following configuration steps in Internet Information Services (IIS):

Remove the Require SSL setting from the default website.

Restore the Require SSL setting on other virtual directories in the default website that had it enabled by default (except for /owa).

Configure the default website to redirect http requests to the /owa virtual directory.

Remove http redirection from all virtual directories in the default website (including /owa).

You need to be assigned permissions before you can perform this procedure or procedures. To see what permissions you need, see the "IIS Manager" entry in the Outlook on the web permissions section of the Clients and mobile devices permissions topic.

The procedures in this topic might cause a web.config file to be created in the folder %ExchangeInstallPath%ClientAccess\OAB. If you later remove http redirection for Outlook on the web, Outlook might freeze when users click Send and Receive. To prevent Outlook from freezing after you remove http redirection, delete the web.config file in %ExchangeInstallPath%ClientAccess\OAB.

Secure Sockets Layer (SSL) is being replaced by Transport Layer Security (TLS) as the protocol that's used to encrypt data sent between computer systems. They’re so closely related that the terms "SSL" and "TLS" (without versions) are often used interchangeably. Because of this similarity, references to "SSL" in Exchange topics, the Exchange admin center, and the Exchange Management Shell have often been used to encompass both the SSL and TLS protocols. Typically, "SSL" refers to the actual SSL protocol only when a version is also provided (for example, SSL 3.0). To find out why you should disable the SSL protocol and switch to TLS, check out Protecting you against the SSL 3.0 vulnerability.

Open IIS Manager on the Exchange server. An easy way to do this in Windows Server 2012 or later is to press Windows key + Q, type inetmgr, and select Internet Information Services (IIS) Manager in the results.

Expand the server, and expand Sites.

Select Default Web Site. and verify Features View is selected at the bottom of the page.

In the IIS section, double-click SSL Settings.

On the SSL Settings page, clear the Require SSL check box, and in the Actions pane, click Apply.

Note: To perform this procedure on the command line, open an elevated command prompt on the Exchange server (a Command Prompt window you open by selecting Run as administrator) and run the following command:

When you change the Require SSL setting on a website in IIS, the setting is automatically inherited by all virtual directories in the website. Because we're only interested in configuring Outlook on the web, you need to restore the Require SSL setting for other virtual directories that had it enabled by default.

Select the virtual directory, and verify Features View is selected at the bottom of the page.

In the IIS section, double-click SSL Settings.

On the SSL Settings page, select the Require SSL check box, and in the Actions pane, click Apply.

Repeat the previous steps on each virtual directory in the default website that had Require SSL enabled by default (except for /owa). The only virtual directories that don't have Require SSL enabled by default are /IES, /PowerShell, and /Rpc.

Note: To perform these procedures on the command line, replace <VirtualDirectory> with the name of the virtual directory, and run the following command in an elevated command prompt:

When you enable redirection on a website in IIS, the setting is automatically inherited by all virtual directories in the website. Because we're only interested in configuring redirection for the default website, you need to remove the redirect setting from all virtual directories. By default, no directories or virtual directories in the default website are enabled for redirection. For more information, see the Default Require SSL and HTTP Redirect settings in the default website on an Exchange 2016 server section

Use the following procedure to remove the redirect setting from all virtual directories in the default website (including /owa):